A CONTROL STRATEGY ALGORITHM FOR FINITE 
ALTERNATING TRANSITION SYSTEMS * 



JINJIN ZHANG, ZHAOHUI ZHU, AND JIANFEI YANG

Abstract. Recently, there has been an increasing interest in the formal analysis and design of control systems. In this area, in order to reduce the complexity and scale of control systems, finite abstractions of control systems are introduced and explored. Among these, Pola and Tabuada construct finite alternating transition systems as approximate finite abstractions for control systems with disturbance inputs [SIAM Journal on Control and Optimization, Vol. 48, 2009, 719-733]. Given linear temporal logic formulas as specifications, this paper provides a control strategy algorithm to find control strategies of Pola and Tabuada's abstractions enforcing these specifications.
1. Introduction. The formal analysis and design of control systems is one of the recent trends in control theory. The formal analysis is concerned with verifying whether a control system satisfies a desired specification, while the purpose of the formal design is to construct a controller for a control system so that it meets a given specification. Traditionally, stability and reachability are considered as specifications in the control-theoretic community [13]. Recently, there has been an increasing interest in extending the formal analysis and design by considering more complex specifications [9, 18, 20, 29]. In these works, temporal logic [27], regular expressions, and transition systems are used to describe specifications. Among these, temporal logic, due to its resemblance to natural language and the existence of algorithms for model checking, is widely adopted for task specification and controller synthesis in control theory. For example, linear temporal logic (LTL) has been adopted to describe the desired properties of discrete-time linear systems [27] and continuous-time linear systems [17]. In addition, Computation Tree Logic (CTL) [3] and LTL [5] are applied to express specifications in the area of mobile robotics.

The formal analysis and design of large-scale control systems is difficult because of the complexity and scale of the systems. In order to reduce the complexity and scale, finite abstractions are extracted from these control systems. Usually, finite abstractions and original systems share the properties of interest, and the analysis and design of finite abstractions is simpler than that of the original control systems. Thus the analysis and design of control systems is often performed, equivalently, on the corresponding finite abstractions, which makes finite abstractions extremely useful in formal analysis and design.

Much work has been devoted to the construction of finite abstractions of control systems. For instance, Tabuada and Pappas identify critical properties of discrete-time linear systems ensuring the existence of finite abstractions [28]. Symbolic models of nonlinear control systems are constructed in [30]. Finite abstractions of hybrid systems have also been studied. An excellent review of these works may be found in [1].

In the work mentioned above, researchers consider control systems without reference to disturbances. However, as pointed out by B. C. Kuo in [19], all physical systems are subject to some types of extraneous disturbances or noise during operation. Recently, Pola and Tabuada extended the above work to control systems affected by disturbances [23, 24]. A mathematical structure called alternating transition system is presented as a symbolic abstraction of a control system with disturbance inputs [23, 24]. Under the assumption that control systems are bounded, such abstractions are finite.

In [9, 27, 29], usual transition systems are adopted as finite abstractions of control systems. Some approaches are presented to construct control strategies of these finite abstractions enforcing specifications. Further, based on such control strategies, controllers of the original control systems are generated to meet the specifications. So the construction of control strategies of finite abstractions is one of the important steps in the formal design of control systems. However, since Pola and Tabuada's abstractions [23, 24] are modeled by alternating transition systems rather than usual transition systems, the approaches provided in [9, 27, 29] are not suitable for establishing control strategies for Pola and Tabuada's abstractions. To overcome this defect, this paper presents a control strategy algorithm based on Kabanza et al.'s planning algorithm [16] to solve the following control problem: given a finite, non-blocking alternating transition system T and a specification, how to find an initial state and a control strategy of T enforcing the given specification? Clearly, this algorithm can be used to find control strategies for Pola and Tabuada's finite abstractions.

The rest of this paper is organized as follows. In Section 2, we recall the notion of alternating transition system and present the control problem mentioned above in detail. Section 3 recalls some notions and results about Kabanza et al.'s planning algorithm. Based on their algorithm, Section 4 provides a control strategy algorithm. In Section 5, we explore the correctness and completeness of this algorithm. Finally, we conclude the paper with future work in Section 6. The appendix includes the proofs of some results of this paper.

2. Alternating transition system and control problem. Before recalling the notion of alternating transition system, we introduce some useful notations. The symbol $\mathbb{N}$ denotes the set of positive integers. For any set $A$, $A^+$ denotes the set of all non-empty finite strings over $A$, and $A^\omega$ represents the set of infinite strings over $A$. Usually, we put $A^\infty = A^+ \cup A^\omega$. We use $s_A$, $\sigma_A$ and $\alpha_A$ to denote the elements of $A^+$, $A^\omega$ and $A^\infty$, respectively. If $A$ is known from the context, we will omit the subscript in $s_A$, $\sigma_A$ and $\alpha_A$. For any $s \in A^+$, $s[i]$ and $s[end]$ mean the $i$-th element and the last element of $s$, respectively. Given $i \leq j$, $s[i,j]$, $s[i,end]$ and $\sigma[i,\infty]$ represent $s[i]s[i+1]\cdots s[j]$, $s[i]s[i+1]\cdots s[end]$ and $\sigma[i]\sigma[i+1]\cdots$, respectively. As usual, $|s|$ means the length of $s$. For any $\sigma \in A^\omega$, $|\sigma|$ is set to be $\infty$.

Pola and Tabuada provide finite abstractions for control systems with disturbance inputs. For these control systems, the inputs consist of control inputs and disturbance inputs, where the former are controllable and the latter are not. Usual transition systems cannot capture the different roles played by these two kinds of inputs. To overcome this obstacle, Pola and Tabuada adopt alternating transition systems as models of these control systems and of their abstract systems [23, 24].

Definition 2.1. An alternating transition system is a tuple

$T = (Q, A, B, \rightarrow, O, H)$,

consisting of

• a set of states $Q$;

• a set of control labels $A$;

• a set of disturbance labels $B$;

• a transition relation $\rightarrow \subseteq Q \times A \times B \times Q$;

• an observation set $O$;

• an observation function $H : Q \rightarrow O$.

As usual, we write $q \xrightarrow{a,b} q'$ for $(q, a, b, q') \in \rightarrow$. An alternating transition system is said to be

• finite if $Q$, $A$ and $B$ are finite;

• non-blocking if $\{q' : q \xrightarrow{a,b} q'\} \neq \emptyset$ for any $q \in Q$, $a \in A$ and $b \in B$.

An infinite sequence $\sigma \in Q^\omega$ is said to be a trajectory of $T$ if and only if for all $i \in \mathbb{N}$, $\sigma[i] \xrightarrow{a_i, b_i} \sigma[i+1]$ for some $a_i \in A$ and $b_i \in B$.

In the above definition, a transition label is a pair $(a, b)$, where the former denotes a control input and the latter represents a disturbance input. Pola and Tabuada construct non-blocking alternating transition systems as abstractions of control systems with disturbance inputs [23, 24]. Under the assumption that control systems are bounded, their abstractions are finite. The related notions and results can be found in [23, 24].

This paper aims to provide an approach to obtain control strategies of Pola and 
Tabuada's finite abstractions to meet specifications. Formally, we will solve the fol- 
lowing control problem: 

Problem 1. Given a finite, non-blocking alternating transition system T and 
a specification, how to find an initial state and a control strategy of T enforcing the 
given specification? 

In this paper, the specifications mentioned above will be described by the linear temporal logic LTL$_{-X}$, that is, LTL without the next operator. LTL$_{-X}$ formulas have been used to specify the desired properties of control systems and their abstractions in [17]. We recall this logic below.

Definition 2.2. Let $P$ be a finite set of atomic propositions. The linear temporal logic LTL$_{-X}(P)$ formulas over $P$ are inductively defined as:

$\varphi ::= p \mid \neg\varphi \mid \varphi_1 \wedge \varphi_2 \mid \varphi_1 U \varphi_2$

where $p \in P$.

The operator $U$ is read as "until" and the formula $\varphi_1 U \varphi_2$ specifies that $\varphi_1$ must hold until $\varphi_2$ holds. The semantics of LTL$_{-X}(P)$ formulae are defined below.

Definition 2.3. Let $\sigma_P$ be any infinite word over $2^P$ (i.e., $\sigma_P \in (2^P)^\omega$). The satisfaction of an LTL$_{-X}(P)$ formula $\varphi$ at position $i \in \mathbb{N}$ of the word $\sigma_P$, denoted by $\sigma_P[i] \models \varphi$, is defined inductively as follows:

(1) $\sigma_P[i] \models p$ iff $p \in \sigma_P[i]$;

(2) $\sigma_P[i] \models \neg\varphi$ iff $\sigma_P[i] \models \varphi$ does not hold;

(3) $\sigma_P[i] \models \varphi_1 \wedge \varphi_2$ iff $\sigma_P[i] \models \varphi_1$ and $\sigma_P[i] \models \varphi_2$;

(4) $\sigma_P[i] \models \varphi_1 U \varphi_2$ iff there exists $j \geq i$ such that $\sigma_P[j] \models \varphi_2$ and for all $k \in \mathbb{N}$ with $i \leq k < j$, we have $\sigma_P[k] \models \varphi_1$.

A word $\sigma_P$ satisfies an LTL$_{-X}(P)$ formula $\varphi$, written as $\sigma_P \models \varphi$, if and only if $\sigma_P[1] \models \varphi$.

Definition 2.4. Let $T = (Q, A, B, \rightarrow, O, H)$ be a finite, non-blocking alternating transition system, $P$ a finite set of atomic propositions and let $\Pi : Q \rightarrow 2^P$ be a valuation function. For any LTL$_{-X}(P)$ formula $\phi$, an infinite sequence $\sigma \in Q^\omega$ is said to satisfy $\phi$ w.r.t. $\Pi$, written as $\sigma \models_\Pi \phi$, if and only if $\Pi(\sigma) \models \phi$, where

$\Pi(\sigma) = \Pi(\sigma[1])\,\Pi(\sigma[2])\cdots$.

If the valuation function $\Pi$ is known from the context, we often omit the subscript in $\models_\Pi$.
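Definitions 2.3 and 2.4 evaluated mechanically, as an added Python example that is not part of the paper. Since a program cannot hold an arbitrary infinite word, the example assumes the word is ultimately periodic, stored as a finite prefix followed by a non-empty loop; every position past the prefix then repeats with period |loop|, so an until-witness exists iff one exists within one full period after the current position. The propositions, states and valuation are constructed for illustration (they happen to match the data used later in Example 3.4, but that is a choice made here, not the paper's code).

```python
# Added example (not the paper's code): Definitions 2.3 and 2.4 evaluated on an
# ultimately periodic word sigma_P = prefix . loop^omega over 2^P. A formula of
# Definition 2.2 is an atom name (str) or a tuple ("not", f), ("and", f1, f2),
# ("until", f1, f2).

class LassoWord:
    """Infinite word over 2^P given by a finite prefix and a non-empty loop;
    positions are 1-based as in the paper (i in N = {1, 2, ...})."""
    def __init__(self, prefix, loop):
        if not loop:
            raise ValueError("loop must be non-empty")
        self.prefix = [frozenset(x) for x in prefix]
        self.loop = [frozenset(x) for x in loop]

    def at(self, i):
        """sigma_P[i]."""
        i -= 1
        if i < len(self.prefix):
            return self.prefix[i]
        return self.loop[(i - len(self.prefix)) % len(self.loop)]

    def window(self):
        """Positions i .. i + window() always contain one full period of the
        loop, so an until-witness exists iff one exists in that range."""
        return len(self.prefix) + len(self.loop)


def holds(word, i, f):
    """sigma_P[i] |= f, clauses (1)-(4) of Definition 2.3."""
    if isinstance(f, str):                                   # (1) p in sigma_P[i]
        return f in word.at(i)
    op = f[0]
    if op == "not":                                          # (2)
        return not holds(word, i, f[1])
    if op == "and":                                          # (3)
        return holds(word, i, f[1]) and holds(word, i, f[2])
    if op == "until":                                        # (4)
        # The first j >= i with f2 at j is the only candidate worth testing:
        # if a later j' works, f1 held on [i, j') and hence on [i, j).
        for j in range(i, i + word.window() + 1):
            if holds(word, j, f[2]):
                return all(holds(word, k, f[1]) for k in range(i, j))
        return False
    raise ValueError(f"unknown operator {op!r}")


def satisfies(word, f):
    """sigma_P |= f iff sigma_P[1] |= f."""
    return holds(word, 1, f)


def trajectory_satisfies(valuation, prefix_states, loop_states, f):
    """sigma |=_Pi f of Definition 2.4: lift the trajectory to the word
    Pi(sigma) = Pi(sigma[1]) Pi(sigma[2]) ... and evaluate f on it."""
    word = LassoWord([valuation[q] for q in prefix_states],
                     [valuation[q] for q in loop_states])
    return satisfies(word, f)


# Derived operators expressed inside the syntax of Definition 2.2.
def true_():
    return ("not", ("and", "p", ("not", "p")))      # p and not p never holds

def eventually(f):
    return ("until", true_(), f)                   # F f = true U f

def always(f):
    return ("not", eventually(("not", f)))         # G f = not F not f


# Constructed valuation over P = {p1, p2, p3} and states q1, q2, q3 (not the paper's).
VALUATION = {"q1": {"p1", "p2"}, "q2": {"p2", "p3"}, "q3": {"p1", "p3"}}

if __name__ == "__main__":
    # The trajectory q1 q2 q3 q3 ... satisfies p2 U p3 and F G p1 but not G p1.
    print(trajectory_satisfies(VALUATION, ["q1", "q2"], ["q3"], ("until", "p2", "p3")))
    print(trajectory_satisfies(VALUATION, ["q1", "q2"], ["q3"], eventually(always("p1"))))
    print(trajectory_satisfies(VALUATION, ["q1", "q2"], ["q3"], always("p1")))
```

The window bound is what makes clause (4) decidable here: nested untils evaluate recursively on positions beyond the window, which `at` handles by indexing into the loop.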

3. Kabanza et al.'s algorithm. To solve Problem 1, we will provide a control strategy algorithm based on Kabanza et al.'s planning algorithm. This section recalls some notions and results about Kabanza et al.'s algorithm. More details can be found in [16].

Kabanza et al. develop their work in the framework of reactive agents. Given a finite set $Q$ of world states, a reactive agent is described as a pair $(q_0, succ)$, where $q_0 \in Q$ is an initial world state and $succ$ is a transition function. For any world state $q \in Q$, $succ(q)$ returns a list $((a_1, d_1, W_1), \ldots, (a_n, d_n, W_n))$, where $a_i$ is an action that is executable in $q$, $d_i$ is a strictly positive real number denoting the duration of $a_i$ in $q$, and $W_i \subseteq Q$ is the set of nondeterministic successors resulting from the execution of $a_i$ in $q$. As usual, if $q' \in W_i$ for some $i \leq n$, then we write $q \xrightarrow{a_i} q'$ to denote that $q'$ is a successor of $q$ resulting from the execution of $a_i$ in $q$.

Fig. 3.1. Reactive Agent

Example 3.1. Fig. 3.1 illustrates the reactive agent $(q_1, succ)$, where $succ(q_1) = ((a_1, 1, \{q_2\}), (b_1, 1, \{q_3\}))$, $succ(q_2) = ((a_2, 1, \{q_1, q_3\}))$, and $succ(q_3) = ((a_3, 1, \{q_3\}))$. Since the durations of all actions are 1, we do not indicate them in this figure.

Definition 3.1. [16] A reactive plan is represented by a set of situation control rules (SCRs), where an SCR is a tuple of the form $(n, q, a, N)$ such that:

• $n$ is a number denoting a plan state;

• $q$ is the world state labeling the plan state $n$ and describing the situation when this SCR is applied;

• $a$ is the action to be executed in plan state $n$; and

• $N$ is a set of integers denoting the plan states that are nondeterministic successors of $n$ when $a$ is executed¹.

In the above definition, two kinds of states are referred to: world states and plan states. Each plan state is labeled by a world state, and different plan states may be labeled by the same world state. Roughly speaking, plan states labeled by the same world state $q$ may denote different execution paths along which the world state $q$ is reached. So, since the actions to be executed in different plan states need not be identical, the choice of the action in the world state $q$ can be history dependent. That is, when $q$ is reached along different paths, the actions to be executed in $q$ may be different. Before providing an example to illustrate the above argument, we describe the execution of a reactive plan as follows.

We start the execution of a reactive plan by fetching the SCR corresponding to the initial world state. By convention, this is always the SCR with plan state 1. The corresponding world state describes the current situation before the agent executes any action. At any time, given the current SCR $(n, q, a, N)$, the action $a$ is executed and the SCR matching the resulting situation is determined from the successor plan states in $N$ by getting an SCR $(n', q', a', N')$ such that $n' \in N$. In this case, the current situation is $q'$ and then $a'$ is executed.

¹For any $q'$ with $q \xrightarrow{a} q'$, there must be $j \in N$ such that the world state labeling plan state $j$ is $q'$.

Fig. 3.2. Executing Reactive Plan

Example 3.2. Consider the reactive agent provided in Example 3.1. Given a reactive plan

$RP = \{(1, q_1, a_1, \{2\}),\ (2, q_2, a_2, \{3, 4\}),\ (3, q_3, a_3, \{3\}),\ (4, q_1, b_1, \{3\})\}$,

its execution is illustrated by Fig. 3.2.

In this reactive plan, both plan states 1 and 4 are labeled by the world state $q_1$. Plan state 1 represents that $q_1$ is the initial state, while plan state 4 means that $q_1$ is reached from $q_2$ by executing $a_2$. Then it is easy to see that the actions to be executed in $q_1$ may differ when the paths along which $q_1$ is reached differ.

The trajectory generated by a reactive plan is defined as follows.

Definition 3.2. [16] Let $(q_1, succ)$ be a reactive agent and let $RP = \{(1, q_1, a_1, N_1), (2, q_2, a_2, N_2), \ldots, (k, q_k, a_k, N_k)\}$ be a reactive plan of $(q_1, succ)$. An infinite sequence $\sigma$ of world states is said to be a trajectory generated by the reactive plan $RP$ if and only if there exists an infinite sequence $\sigma_N = i_1 i_2 \cdots \in \{1, 2, \ldots, k\}^\omega$ such that $\sigma_N[1] = 1$ and, for all $j \in \mathbb{N}$, $i_{j+1} \in N_{i_j}$ and $q_{i_j} = \sigma[j]$.

Example 3.3. Consider the reactive agent and the reactive plan $RP$ in Examples 3.1 and 3.2, respectively. Let $\sigma_1 = q_1 q_2 q_3 q_3 \cdots$ and $\sigma_2 = q_1 q_2 q_1 q_3 q_3 \cdots$. It is easy to check that $\sigma_1$ and $\sigma_2$ are exactly the trajectories generated by this reactive plan.

Definition 3.3. Let $P$ be a finite set of atomic propositions and let $\Pi$ be a valuation function that assigns to each world state $q$ a set $\Pi(q) \subseteq P$. For any LTL$_{-X}(P)$ formula $\phi$, a reactive plan is said to satisfy $\phi$ w.r.t. $\Pi$ if and only if all trajectories generated by this reactive plan satisfy $\phi$ w.r.t. $\Pi$² and there exists at least one trajectory generated by this reactive plan.

Example 3.4. Consider the reactive agent and the reactive plan $RP$ in Examples 3.1 and 3.2, respectively. Let $P = \{p_1, p_2, p_3\}$ and let $\Pi : \{q_1, q_2, q_3\} \rightarrow 2^P$ be the valuation function defined as $\Pi(q_1) = \{p_1, p_2\}$, $\Pi(q_2) = \{p_2, p_3\}$ and $\Pi(q_3) = \{p_1, p_3\}$. It is easy to check that the reactive plan $RP$ satisfies $p_2 U p_3$ w.r.t. $\Pi$.

²Similar to Definition 2.4, we may define the satisfaction relation between LTL$_{-X}(P)$ formulas and trajectories generated by the reactive plan w.r.t. $\Pi$.

In [16], Kabanza et al. use Metric Temporal Logic (MTL) to specify the desired behaviors of a reactive agent. Given a finite set $P$ of atomic propositions, MTL($P$) formulae are defined as:

$\varphi ::= p \mid \neg\varphi \mid \varphi_1 \wedge \varphi_2 \mid X_{\sim t}\varphi \mid \Box_{\sim t}\varphi \mid \varphi_1 U_{\sim t}\varphi_2$

where $p \in P$ is an atomic proposition, $X_{\sim t}$, $\Box_{\sim t}$ and $U_{\sim t}$ are called the next, always and until operators, respectively, $\sim$ denotes one of $<$, $\leq$, $>$ or $\geq$, and $t$ is a non-negative real. Intuitively, if a time constraint "$\sim t$" is attached to a modal operator, then the formula governed by this operator must hold within a time period satisfying the relation $\sim t$. For example, $\varphi_1 U_{\geq t}\varphi_2$ means that $\varphi_1$ holds until $\varphi_2$ becomes true at some time in the interval $[t, \infty)$. So it is easy to see that $U_{\geq 0}$ coincides with the usual until operator $U$. Thus the linear temporal logic LTL$_{-X}(P)$ can be viewed as a sublanguage of MTL($P$).

Kabanza et al. also define the semantics of MTL($P$). A careful examination shows that, when only LTL$_{-X}(P)$ formulas are considered, Kabanza et al.'s definition coincides with Definition 3.3. Since the remainder of this paper will mostly refer to LTL$_{-X}(P)$ formulas, we do not recall the formal definition of the semantics of MTL($P$). The interested reader may find it in Section 5.2 of [16].

Kabanza et al. provide a planning algorithm to construct a reactive plan satisfying an MTL($P$) formula $\varphi$ for a given reactive agent and valuation function $\Pi$. The detailed algorithm may be found in [16]. The following result comes from Theorem 16 and the observation in Section 7.5 of [16].

Theorem 3.4. [16] Kabanza et al.'s planning algorithm is correct and complete. In other words, given a reactive agent $(q_0, succ)$, an MTL($P$) formula $\phi$ and a valuation function $\Pi$, if Kabanza et al.'s algorithm returns a reactive plan then this reactive plan satisfies $\phi$. Moreover, Kabanza et al.'s algorithm finds a reactive plan satisfying $\phi$ whenever such a plan exists.

Immediately, we have the following corollary, which is trivial but useful.

Corollary 3.5. Given a reactive agent $(q_0, succ)$, an LTL$_{-X}(P)$ formula $\phi$ and a valuation function $\Pi$, if Kabanza et al.'s algorithm returns a reactive plan then this reactive plan satisfies $\phi$. Moreover, Kabanza et al.'s algorithm finds a reactive plan satisfying $\phi$ whenever such a plan exists.

Proof. Follows from Theorem 3.4 and the fact that the linear temporal logic LTL$_{-X}(P)$ can be viewed as a sublanguage of MTL($P$). □

4. Control strategy algorithm based on Kabanza et al.'s algorithm. 

The previous section has provided a brief overview about Kabanza et al.'s planning 
algorithm. This section will present a control strategy algorithm based on Kabanza 
et al.'s algorithm. Before providing this algorithm, we introduce the notion of control 
strategy. 

Definition 4.1. Let $T = (Q, A, B, \rightarrow, O, H)$ be a finite, non-blocking alternating transition system. Any function $f : Q^+ \rightarrow A$ is called a control strategy of $T$. For any $q \in Q$ and $f : Q^+ \rightarrow A$, the outcomes $Out^n_T(q, f)$ ($n \in \mathbb{N}$) and $Out^\omega_T(q, f)$ of $f$ from $q$ are defined as follows:

$Out^n_T(q, f) = \{s \in Q^n : s[1] = q \text{ and } \forall 1 \leq i < n\ \exists b_i \in B\ (s[i] \xrightarrow{f(s[1,i]),\, b_i} s[i+1])\}$,

$Out^\omega_T(q, f) = \{\sigma \in Q^\omega : \sigma[1] = q \text{ and } \forall i \in \mathbb{N}\ \exists b_i \in B\ (\sigma[i] \xrightarrow{f(\sigma[1,i]),\, b_i} \sigma[i+1])\}$.

Furthermore, we define $Out^+_T(q, f)$ and $Out_T(q, f)$ as $Out^+_T(q, f) = \bigcup_{n \in \mathbb{N}} Out^n_T(q, f)$ and $Out_T(q, f) = Out^+_T(q, f) \cup Out^\omega_T(q, f)$.

If the alternating transition system $T$ is known from the context, we often omit the subscript in $Out^n_T(q, f)$, $Out^\omega_T(q, f)$, $Out^+_T(q, f)$ and $Out_T(q, f)$.

Given a finite, non-blocking alternating transition system $T$, an LTL$_{-X}(P)$ formula $\phi$ and a valuation function $\Pi$, we want to find an initial state $q$ and a control strategy $f$ of $T$ so that $\sigma \models \phi$ for all $\sigma \in Out(q, f)$. An algorithm which finds such an initial state and control strategy is presented in Algorithm 1 below.

(1) input: $T$, $\phi$ and $\Pi$, where $T = (Q, A, B, \rightarrow, O, H)$
(2) Construct a transition function $succ_T$ from $T$
(3) for all $q_0 \in Q$ do
(4)     Adopt Kabanza et al.'s algorithm to find a reactive plan $RP_{kab}$ of $(q_0, succ_T)$ enforcing $\phi$ w.r.t. $\Pi$
(5)     if a reactive plan $RP_{kab}$ is found then
(6)         $RP$ = SimplifyReactivePlan($RP_{kab}$)      /* See Algorithm 2 */
(7)         $f_{RP}$ = FunctionStrategy($RP$)             /* See Algorithm 3 */
(8)         Return $q_0$ and $f_{RP}$
(9)     end if
(10) end for
(11) Return false

Algorithm 1: Control strategy algorithm



In Algorithm 1, steps (2), (6) and (7) need to be further refined. We illustrate them in turn.

Definition 4.2. Let $T = (Q, A, B, \rightarrow, O, H)$ be a finite, non-blocking alternating transition system and $A = \{a_1, a_2, \ldots, a_k\}$. The transition function $succ_T$ w.r.t. $T$ is defined as: for any $q \in Q$, we set $succ_T(q) = ((a_1, 1, W_1), (a_2, 1, W_2), \ldots, (a_k, 1, W_k))$, where $W_i = \{q' \in Q : q \xrightarrow{a_i, b} q' \text{ for some } b \in B\}$ for $i = 1, 2, \ldots, k$.

By Definition 2.1, for any finite, non-blocking alternating transition system $T = (Q, A, B, \rightarrow, O, H)$, each set $W_i$ mentioned above is finite and non-empty. Thus for any $q \in Q$, $(q, succ_T)$ is a reactive agent. Clearly, due to the finiteness of $Q$, $A$, $B$ and $\rightarrow$, the function $succ_T$ may be obtained using a simple algorithm. We leave it to the interested reader. Before refining steps (6) and (7), we provide some notions and a result below.

Definition 4.3. Let $T = (Q, A, B, \rightarrow, O, H)$ be a finite, non-blocking alternating transition system, $q \in Q$ and let $succ_T$ be the transition function w.r.t. $T$. Then any reactive plan of $(q, succ_T)$ is said to be a reactive plan of $T$.

Definition 4.4. Let $RP = \{(1, q_1, a_1, N_1), (2, q_2, a_2, N_2), \ldots, (k, q_k, a_k, N_k)\}$ be a reactive plan. For any finite sequence $s \in \{1, 2, \ldots, k\}^+$, if $|s| > 1$ and $s[i+1] \in N_{s[i]}$ for all $i < |s|$, then $s$ is said to be a finite path of $RP$. For any two paths $s_1$ and $s_2$ of $RP$, if $s_1[1] = 1$ and $s_1[end] = s_2[1] = s_2[end]$, then the pair $(s_1, s_2)$ is said to be a reachable cycle of $RP$.

The following result offers a sufficient and necessary condition for the existence of a trajectory generated by a reactive plan.

Lemma 4.5. Let $RP = \{(1, q_1, a_1, N_1), (2, q_2, a_2, N_2), \ldots, (k, q_k, a_k, N_k)\}$ be a reactive plan. There exists a trajectory generated by $RP$ if and only if there exists a reachable cycle $(s_1, s_2)$ of $RP$.

Proof. (From right to left) Let $(s_1, s_2)$ be a reachable cycle of $RP$. By Definition 4.4 we have $|s_2| > 1$. Then we set $\sigma_N = s_1 \circ (s_2[2, end])^\omega$, where $(s_2[2, end])^\omega = s_2[2, end] \circ s_2[2, end] \circ \cdots$. Since $(s_1, s_2)$ is a reachable cycle of $RP$, it follows from Definition 4.4 that $\sigma_N[1] = 1$ and $\sigma_N[i+1] \in N_{\sigma_N[i]}$ for all $i \in \mathbb{N}$. Then we define an infinite sequence $\sigma \in \{q_1, q_2, \ldots, q_k\}^\omega$ by $\sigma[i] = q_{\sigma_N[i]}$ for all $i \in \mathbb{N}$. Therefore, since $\sigma_N[1] = 1$ and $\sigma_N[i+1] \in N_{\sigma_N[i]}$ for all $i \in \mathbb{N}$, by Definition 3.2 $\sigma$ is generated by $RP$.

(From left to right) Let $\sigma$ be a trajectory generated by $RP$. Then by Definition 3.2 there exists $\sigma_N \in \{1, 2, \ldots, k\}^\omega$ such that $\sigma_N[1] = 1$ and, for all $i \in \mathbb{N}$, $\sigma[i] = q_{\sigma_N[i]}$ and $\sigma_N[i+1] \in N_{\sigma_N[i]}$. Since the plan state set $\{1, 2, \ldots, k\}$ is finite, there exist $j, n \in \mathbb{N}$ such that $1 < j < n$ and $\sigma_N[j] = \sigma_N[n]$. Further, by Definition 4.4 it is clear that $(\sigma_N[1, j], \sigma_N[j, n])$ is a reachable cycle of $RP$, as desired. □

Now we refine steps (6) and (7). These two steps aim to get a control strategy from a reactive plan.

Step (6): In this step, given a reactive plan $RP$, we simplify it in the following way: for any $(i, q_i, a_i, N_i)$ in $RP$, if there exist $j_1, j_2, \ldots, j_m \in N_i$ with $m > 1$ and $q_{j_n} = q_{j_1}$ for all $n \leq m$, then we keep one of them and remove the others from $N_i$. Thus for any $(i, q_i, a_i, N_i)$ in the simplified reactive plan and for any world state $q$, there exists at most one plan state $j \in N_i$ with $q_j = q$. Formally, Step (6) is refined in Algorithm 2.

Suppose that $RP = \{(1, q_1, a_1, N_1), (2, q_2, a_2, N_2), \ldots, (k, q_k, a_k, N_k)\}$

(1) SimplifyReactivePlan($RP$) {
(2)   note = 0; $i$ = 1
(3)   while $i \leq k$ and note = 0 do
(4)     suffix = shortest_path($i$, $i$)
(5)     if suffix $\neq \emptyset$ then
(6)       prefix = shortest_path(1, $i$)
(7)       if prefix $\neq \emptyset$ then
(8)         note = 1
(9)       end if
(10)    end if
(11)    $i$ = $i$ + 1
      end while
(12)  for all $(i, q_i, a_i, N_i) \in RP$ do
(13)    for all $j_1, j_2, \ldots, j_m \in N_i$ with $m > 1$ and $q_{j_1} = q_{j_2} = \cdots = q_{j_m}$ do
(14)      if for some $l \leq m$ there exists $n < |prefix|$ such that $i$ = prefix[$n$] and $j_l$ = prefix[$n$+1] then
(15)        $N_i = N_i - \{j_1, \ldots, j_{l-1}, j_{l+1}, \ldots, j_m\}$   /* Remove all but $j_l$ from $N_i$ */
(16)      else if for some $l \leq m$ there exists $n < |suffix|$ such that $i$ = suffix[$n$] and $j_l$ = suffix[$n$+1] then
(17)        $N_i = N_i - \{j_1, \ldots, j_{l-1}, j_{l+1}, \ldots, j_m\}$   /* Remove all but $j_l$ from $N_i$ */
(18)      else
(19)        $N_i = N_i - \{j_2, j_3, \ldots, j_m\}$   /* Remove $j_2, j_3, \ldots, j_m$ from $N_i$ */
(20)      end if
(21)    end for
(22)  end for
(23)  Return $RP$ }

Algorithm 2: Simplifying reactive plan $RP$
In this algorithm, lines (3)-(11) are used to find a reachable cycle (prefix, suffix), and the loop variable $i$ is advanced at the end of each iteration. Here we adopt Dijkstra's algorithm [5, 6] to find the shortest paths of $RP$ from $i$ to $i$ and from 1 to $i$ (see lines (4) and (6)); since a path of $RP$ must contain at least one edge (Definition 4.4), shortest_path($i$, $i$) returns a shortest cycle through $i$ rather than the trivial sequence $i$. By Lemma 4.5 and the completeness of Dijkstra's algorithm [5, 6], prefix and suffix are found by this algorithm whenever the given reactive plan generates a trajectory.

Suppose that $RP$ generates a trajectory and the reachable cycle (prefix, suffix) has been found. Lines (12)-(22) simplify the reactive plan $RP$ based on prefix and suffix so that the simplified reactive plan still generates a trajectory. Since prefix is a shortest path from 1 to prefix[end], there do not exist $i, j < |prefix|$ such that $i \neq j$ and prefix[$i$] = prefix[$j$]. So, for line (14) in Algorithm 2, there exists at most one natural number $l$ such that $l \leq m$, $i$ = prefix[$n$] and $j_l$ = prefix[$n$+1] for some $n < |prefix|$. A similar argument holds for line (16). We provide a simple example below to illustrate Algorithm 2.

Example 4.1. Consider the reactive plan $RP = \{(1, q_1, a_1, \{2\}), (2, q_2, a_2, \{1, 4\}), (3, q_3, a_3, \{1\}), (4, q_1, a_4, \{3\})\}$. We adopt Algorithm 2 to simplify $RP$. It is easy to check that both suffix and prefix found in this algorithm are "121". For the SCR $(2, q_2, a_2, \{1, 4\}) \in RP$, since both plan states 1 and 4 are labeled by $q_1$ and prefix = 121, plan state 4 is removed from $\{1, 4\}$. One may easily check that the simplified reactive plan is $\{(1, q_1, a_1, \{2\}), (2, q_2, a_2, \{1\}), (3, q_3, a_3, \{1\}), (4, q_1, a_4, \{3\})\}$.
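Lemma 4.5 and Algorithm 2 carried out in Python on the plans of Examples 3.2 and 4.1, as an added example that is not the paper's own code. A reactive plan is stored as a dict from plan state to (world state, action, set of successor plan states); the Dijkstra call of lines (4) and (6) is replaced by a breadth-first search, which computes the same shortest paths because every edge has unit cost. The function generated_trajectory builds the trajectory $s_1 \circ (s_2[2,end])^\omega$ from the proof of Lemma 4.5, and simplify_reactive_plan implements lines (12)-(22).

```python
# Added example (not the paper's code): Lemma 4.5 and Algorithm 2 on reactive
# plans stored as {plan state: (world state, action, set of successor plan states)}.
from collections import deque

PLAN_EX32 = {1: ("q1", "a1", {2}), 2: ("q2", "a2", {3, 4}),   # Example 3.2
             3: ("q3", "a3", {3}), 4: ("q1", "b1", {3})}
PLAN_EX41 = {1: ("q1", "a1", {2}), 2: ("q2", "a2", {1, 4}),   # Example 4.1
             3: ("q3", "a3", {1}), 4: ("q1", "a4", {3})}


def shortest_path(plan, src, dst):
    """Shortest path of RP (Definition 4.4) from src to dst, i.e. a walk with at
    least one edge, or None. Breadth-first search; with unit durations this is
    what the Dijkstra call in lines (4) and (6) of Algorithm 2 computes."""
    parent = {}
    queue = deque()
    for nxt in sorted(plan[src][2]):           # the first step is forced: |s| > 1
        parent[nxt] = src
        queue.append(nxt)
    while queue:
        cur = queue.popleft()
        if cur == dst:
            path = [cur]
            while path[-1] != src or len(path) == 1:   # walk back to src, >= 1 edge
                path.append(parent[path[-1]])
            return path[::-1]
        for nxt in sorted(plan[cur][2]):
            if nxt not in parent:
                parent[nxt] = cur
                queue.append(nxt)
    return None


def reachable_cycle(plan):
    """Lines (3)-(11) of Algorithm 2: a reachable cycle (prefix, suffix) of RP,
    or None. By Lemma 4.5 one exists iff RP generates a trajectory."""
    for i in sorted(plan):
        suffix = shortest_path(plan, i, i)
        if suffix is not None:
            prefix = shortest_path(plan, 1, i)
            if prefix is not None:
                return prefix, suffix
    return None


def generated_trajectory(plan):
    """The trajectory sigma_N = s1 o (s2[2,end])^omega built in the proof of
    Lemma 4.5, returned as (prefix of world states, repeated loop)."""
    cycle = reachable_cycle(plan)
    if cycle is None:
        return None
    prefix, suffix = cycle
    return ([plan[i][0] for i in prefix], [plan[i][0] for i in suffix[1:]])


def simplify_reactive_plan(plan):
    """Lines (12)-(22) of Algorithm 2: among successors of i labelled by the same
    world state keep the one on prefix, else the one on suffix, else the first."""
    cycle = reachable_cycle(plan)
    if cycle is None:
        return None                            # no trajectory at all (Lemma 4.5)
    prefix, suffix = cycle
    on_prefix = set(zip(prefix, prefix[1:]))   # edges (prefix[n], prefix[n+1])
    on_suffix = set(zip(suffix, suffix[1:]))
    simplified = {}
    for i, (q, a, succ) in plan.items():
        groups = {}                            # world state -> plan states in N_i
        for j in sorted(succ):
            groups.setdefault(plan[j][0], []).append(j)
        kept = set()
        for same in groups.values():
            keep = next((j for j in same if (i, j) in on_prefix), None)
            if keep is None:
                keep = next((j for j in same if (i, j) in on_suffix), None)
            kept.add(same[0] if keep is None else keep)
        simplified[i] = (q, a, kept)
    return simplified


if __name__ == "__main__":
    print(reachable_cycle(PLAN_EX32), generated_trajectory(PLAN_EX32))
    print(simplify_reactive_plan(PLAN_EX41))
```

On Example 3.2 the search returns prefix 123 and suffix 33, i.e. the trajectory $\sigma_1$ of Example 3.3; on Example 4.1 it returns the cycle 121 and removes plan state 4 from $N_2$, exactly as the text describes, and the simplified plan still has a reachable cycle, which is Theorem 4.6.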

In the above example, for the plan states 3 and 4 of the simplified reactive plan, there is no path from plan state 1 to these states, although such paths exist in the original reactive plan. Thus a natural question arises: can the simplification provided in Algorithm 2 result in a simplified reactive plan that generates no trajectory although the original reactive plan does? The following result shows that this situation cannot arise.

Theorem 4.6. Let $RP = \{(1, q_1, a_1, N_1), (2, q_2, a_2, N_2), \ldots, (k, q_k, a_k, N_k)\}$ be a reactive plan. If $RP$ generates a trajectory, then so does the simplified reactive plan produced by Algorithm 2.

Proof. Suppose that $RP$ generates a trajectory. Then, by Lemma 4.5 and Algorithm 2, a reachable cycle (prefix, suffix) of $RP$ is found. Consider the following two cases.

Case 1. prefix[$n$] $\neq$ suffix[$m$] for any $n < |prefix|$ and $m < |suffix|$. Then, by Algorithm 2, it is easy to check that both prefix and suffix are paths of the simplified reactive plan. Further, since (prefix, suffix) is a reachable cycle of $RP$, by Definition 4.4 (prefix, suffix) is a reachable cycle of the simplified reactive plan. Thus by Lemma 4.5 the simplified reactive plan generates a trajectory.

Case 2. prefix[$n$] = suffix[$m$] for some $n < |prefix|$ and $m < |suffix|$. Then by Algorithm 2 one may easily check that both prefix and suffix[1, $m$] $\circ$ prefix[$n$+1, end] are paths of the simplified reactive plan. On the other hand, since (prefix, suffix) is a reachable cycle of $RP$, by Definition 4.4 we get prefix[end] = suffix[1] = suffix[end]. Then by Definition 4.4 (prefix, suffix[1, $m$] $\circ$ prefix[$n$+1, end]) is a reachable cycle of the simplified reactive plan. Therefore, by Lemma 4.5, the simplified reactive plan generates a trajectory. □

Theorem 4.7. Let $T = (Q, A, B, \rightarrow, O, H)$ be a finite, non-blocking alternating transition system, $\phi$ an LTL$_{-X}(P)$ formula, $\Pi$ a valuation function and let $RP = \{(1, q_1, a_1, N_1), \ldots, (k, q_k, a_k, N_k)\}$ be a reactive plan of $T$. We adopt Algorithm 2 to simplify $RP$. Then we have

(1) For any $(i, q_i, a_i, N_i)$ in the simplified reactive plan and for any $q \in Q$, there exists at most one plan state $j \in N_i$ with $q_j = q$.

(2) If $RP$ satisfies $\phi$ then the simplified reactive plan also satisfies $\phi$.

Proof. (1) holds trivially. We prove (2) below. Clearly, by Algorithm 2, every trajectory generated by the simplified reactive plan is also generated by $RP$. Therefore, by Theorem 4.6 and Definition 3.3, conclusion (2) holds. □

Step (7). Next, we refine Step (7) in Algorithm 1. In this step, a control strategy is obtained from the simplified reactive plan. For this purpose, a result and a notion are provided below.

Lemma 4.8. Let $T = (Q, A, B, \rightarrow, O, H)$ be a finite, non-blocking alternating transition system and let $RP = \{(1, q_1, a_1, N_1), \ldots, (k, q_k, a_k, N_k)\}$ be a reactive plan of $T$. Suppose that for any $(i, q_i, a_i, N_i) \in RP$ and $q \in Q$, there exists at most one plan state $j \in N_i$ with $q_j = q$. Then for any $s \in Q^+$, there exists at most one path $s_N \in \{1, 2, \ldots, k\}^+$ such that $|s_N| = |s|$, $s_N[1] = 1$ and $s[j] = q_{s_N[j]}$ for all $j \leq |s_N|$.

Proof. Induction on the length of $s$. □

Definition 4.9. Let $T = (Q, A, B, \rightarrow, O, H)$ be a finite, non-blocking alternating transition system and let $RP = \{(1, q_1, a_1, N_1), \ldots, (k, q_k, a_k, N_k)\}$ be a reactive plan of $T$. Suppose that for any $(i, q_i, a_i, N_i) \in RP$ and state $q \in Q$, there exists at most one plan state $j \in N_i$ with $q_j = q$. The control strategy $f_{RP} : Q^+ \rightarrow A$ generated by the reactive plan $RP$ is defined as: for any $s \in Q^+$, if there exists a path $s_N \in \{1, 2, \ldots, k\}^+$ such that $|s_N| = |s|$, $s_N[1] = 1$ and $s[j] = q_{s_N[j]}$ for all $j \leq |s|$, then we set $f_{RP}(s) = a_{s_N[end]}$; otherwise we put $f_{RP}(s) = a_1$.

By Lemma 4.8, the control strategy $f_{RP}$ defined above is well-defined. The function FunctionStrategy($RP$) in Step (7) of Algorithm 1 produces this control strategy. The algorithm realizing this function is presented in Algorithm 3.



Suppose that $RP = \{(1, q_1, a_1, N_1), (2, q_2, a_2, N_2), \ldots, (k, q_k, a_k, N_k)\}$

FunctionStrategy($RP$) {
(1)   input: $s$   /* $s$ is an array denoting a sequence of world states */
(2)   SeqOfPS[1] = 1   /* SeqOfPS is an array denoting a sequence of plan states */
(3)   if $s[1] \neq q_1$ then
(4)     Return $a_1$
(5)   end if
(6)   $i$ = 2
(7)   while $i \leq |s|$ do
(8)     $k$ = SeqOfPS[$i$ - 1]
(9)     if $s[i] = q_j$ for some $j \in N_k$ then
(10)      SeqOfPS[$i$] = $j$
(11)      $i$ = $i$ + 1
(12)    else
(13)      Return $a_1$
(14)    end if
(15)  end while
(16)  $k$ = SeqOfPS[$i$ - 1]
(17)  Return $a_k$ }

Algorithm 3: Producing the control strategy $f_{RP}$
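Definitions 4.1, 4.2 and 4.9 and Algorithm 3 run on a constructed alternating transition system, as an added Python example that is not the paper's own code. The system (three states, control labels {a, b}, disturbance labels {d0, d1}) and the reactive plan are constructed for illustration; the plan is a reactive plan of T in the sense of Definition 4.3, its successor sets already contain at most one plan state per world state, so Algorithm 3 applies to it directly. The last function checks claim (1) of Theorem 4.10 below on all outcome prefixes up to a given length, which is as far as a finite computation can take an equality between sets of infinite sequences.

```python
# Added example (not the paper's code): Definitions 4.1, 4.2, 4.9 and
# Algorithm 3 on a constructed finite, non-blocking alternating transition
# system with control labels {a, b} and disturbance labels {d0, d1}.
CONTROLS = ["a", "b"]
DISTURBANCES = ["d0", "d1"]
# TRANS[(q, a, b)] = {q' : q --a,b--> q'}; every key is present, so T is non-blocking.
TRANS = {
    ("q1", "a", "d0"): {"q2"}, ("q1", "a", "d1"): {"q2"},
    ("q1", "b", "d0"): {"q3"}, ("q1", "b", "d1"): {"q3"},
    ("q2", "a", "d0"): {"q1"}, ("q2", "a", "d1"): {"q3"},   # the disturbance decides
    ("q2", "b", "d0"): {"q2"}, ("q2", "b", "d1"): {"q2"},
    ("q3", "a", "d0"): {"q3"}, ("q3", "a", "d1"): {"q3"},
    ("q3", "b", "d0"): {"q3"}, ("q3", "b", "d1"): {"q1"},
}


def succ_T(q):
    """Definition 4.2: ((a_1, 1, W_1), ..., (a_k, 1, W_k)) with
    W_i = {q' : q --a_i,b--> q' for some b}; all durations are 1."""
    return [(a, 1, set().union(*(TRANS[(q, a, b)] for b in DISTURBANCES)))
            for a in CONTROLS]


# A reactive plan of T (Definition 4.3), constructed: plan state -> (q, a, N).
# For each plan state the members of W for the chosen action are represented
# by exactly one plan state each, as the output of Algorithm 2 guarantees.
PLAN = {1: ("q1", "a", {2}), 2: ("q2", "a", {3, 4}),
        3: ("q3", "a", {3}), 4: ("q1", "b", {3})}


def function_strategy(plan):
    """Algorithm 3: the control strategy f_RP : Q^+ -> A of Definition 4.9."""
    default = plan[1][1]                       # a_1, returned off the plan
    def f(s):
        if s[0] != plan[1][0]:                 # lines (3)-(5)
            return default
        seq = [1]                              # SeqOfPS
        for i in range(1, len(s)):             # lines (7)-(15)
            k = seq[i - 1]
            match = [j for j in plan[k][2] if plan[j][0] == s[i]]
            if not match:
                return default
            seq.append(match[0])               # unique by the hypothesis of Lemma 4.8
        return plan[seq[-1]][1]                # line (17): a_k
    return f


def out_n(q, f, n):
    """Out^n(q, f) of Definition 4.1: every s in Q^n with s[1] = q such that
    s[i] --f(s[1,i]),b_i--> s[i+1] for some disturbance b_i."""
    prefixes = {(q,)}
    for _ in range(n - 1):
        prefixes = {s + (q2,) for s in prefixes for b in DISTURBANCES
                    for q2 in TRANS[(s[-1], f(s), b)]}
    return prefixes


def plan_prefixes(plan, n):
    """Length-n prefixes of the trajectories generated by plan (Definition 3.2)."""
    seqs = {(1,)}
    for _ in range(n - 1):
        seqs = {s + (j,) for s in seqs for j in plan[s[-1]][2]}
    return {tuple(plan[i][0] for i in s) for s in seqs}


def theorem_4_10_holds(plan, n):
    """Claim (1) of Theorem 4.10 checked on all prefixes up to length n."""
    f = function_strategy(plan)
    q1 = plan[1][0]
    return all(out_n(q1, f, m) == plan_prefixes(plan, m) for m in range(1, n + 1))


if __name__ == "__main__":
    f = function_strategy(PLAN)
    print(succ_T("q2"))
    print(sorted(out_n("q1", f, 4)))
    print(theorem_4_10_holds(PLAN, 7))
```

Note how the history dependence of Section 3 shows up: after q1 q2 q1 the strategy answers b (plan state 4), while on the one-element history q1 it answers a (plan state 1), although the current world state is q1 in both cases.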

Due to the following result, if the simplified reactive plan obtained by Algorithm 2 satisfies the formula $\phi$, then it generates a control strategy $f_{RP}$ such that $\sigma \models \phi$ for all $\sigma \in Out(q_1, f_{RP})$.

Fig. 4.1. Finite, non-blocking alternating transition system



Theorem 4.10. Let $T = (Q, A, B, \rightarrow, O, H)$ be a finite, non-blocking alternating transition system, $\phi$ an LTL$_{-X}(P)$ formula, $\Pi$ a valuation function and let $RP = \{(1, q_1, a_1, N_1), \ldots, (k, q_k, a_k, N_k)\}$ be a reactive plan of $T$. Suppose that for any $(i, q_i, a_i, N_i) \in RP$ and state $q \in Q$, there exists at most one plan state $j \in N_i$ with $q_j = q$. Let $f_{RP}$ be the control strategy generated by $RP$. Then we have

(1) $Out(q_1, f_{RP})$ consists exactly of the trajectories generated by the reactive plan $RP$;

(2) if $RP$ satisfies $\phi$ then $\sigma \models \phi$ for any $\sigma \in Out(q_1, f_{RP})$.

Proof. By Definitions 4.1 and 4.9 it is easy to prove (1). Then (2) follows immediately. □

Corollary 4.11. Let $T = (Q, A, B, \rightarrow, O, H)$ be a finite, non-blocking alternating transition system, $\phi$ an LTL$_{-X}(P)$ formula and let $\Pi : Q \rightarrow 2^P$ be a valuation function. If there exists a reactive plan $RP$ of $T$ satisfying $\phi$, then Algorithm 1 finds an initial state $q$ and a control strategy $f$ such that $\sigma \models \phi$ for all $\sigma \in Out(q, f)$.

Proof. Follows from Corollary 3.5, Algorithm 1, Theorem 4.7 and Theorem 4.10. □

Inspired by Theorem 4.10, someone may conjecture that given an initial state $q_0$ and a control strategy $f$, there exists a reactive plan $RP$ such that $Out(q_0, f)$ exactly contains the trajectories generated by $RP$. This conjecture does not always hold. A counterexample is given below.

Example 4.2. Consider the finite, non-blocking alternating transition system shown in Fig. 4.1. [...] do not indicate it in this figure. A control strategy $f : \{q_1, q_2\}^+ \to \{a, b\}$ is defined as, for any $s \in \{q_1, q_2\}^+$,

$$f(s) = \begin{cases} b & \text{if } |s| = n(n+3)/2 - 1 \text{ for some } n \in \mathbb{N}, \\ a & \text{otherwise.} \end{cases}$$

Define a family of finite sequences $s_k$ ($k \in \mathbb{N}$) as: $s_1 = q_1 q_2$ and for any $k > 1$, $s_k = q_1 s_{k-1}$. Let $\sigma = s_1 s_2 s_3 \cdots$. Thus $\sigma \neq \sigma[1,n](\sigma[n+1,m])^\omega$ for any $n, m \in \mathbb{N}$ with $n < m$. It is easy to check that $Out(q_1, f) = \{\sigma\}$.

Now we show that there does not exist a reactive plan such that $\sigma$ is a trajectory generated by this plan. Suppose that $\sigma$ is generated by the reactive plan $RP = \{(1, q_1, a_1, N_1), (2, q_2, a_2, N_2), \dots, (k, q_k, a_k, N_k)\}$. Then there exists a sequence $\sigma_N = i_1 i_2 \cdots$ over $\{1, 2, \dots, k\}$ such that $i_1 = 1$ and for all $j \in \mathbb{N}$, $q_{i_j} = \sigma[j]$ and $i_{j+1} \in N_{i_j}$. Since $\{1, 2, \dots, k\}$ is a finite set, we have $i_l = i_m$ for some $l < m$. On the other hand, since $T$ is determined, we get $N_{i_j} = \{i_{j+1}\}$ for all $j \in \mathbb{N}$. Further, it follows from $i_l = i_m$ that $i_{l+1} = i_{m+1}$. Similarly, we have $i_{l+j} = i_{m+j}$ for all $j \in \mathbb{N}$. Thus $\sigma_N = i_1 i_2 \cdots i_l \circ (i_{l+1} \cdots i_m)^\omega$ and then $\sigma = q_{i_1} q_{i_2} \cdots q_{i_l} \circ (q_{i_{l+1}} \cdots q_{i_m})^\omega$. This contradicts that for any $n, m \in \mathbb{N}$ with $n < m$, $\sigma \neq \sigma[1,n](\sigma[n+1,m])^\omega$.
5. Correctness and completeness of control strategy algorithm. The previous section presents a control strategy algorithm to solve Problem 1. This section will deal with its correctness and completeness. The former is ensured by the result below.

Theorem 5.1. Given a finite, non-blocking alternating transition system $T = (Q, A, B, \to, O, H)$, an $LTL_{-X}(P)$ formula $\phi$ and a valuation function $\Pi : Q \to 2^P$, if the control strategy algorithm returns a state $q_0$ and a control strategy $f_{RP}$, then $\sigma \models \phi$ for any $\sigma \in Out(q_0, f_{RP})$.

Proof. Suppose that the control strategy algorithm returns a state $q_0$ and a control strategy $f_{RP}$. Then by Algorithm 1 a reactive plan $RP$ satisfying $\phi$ is found. Thus by Theorems 4.7 and 4.10 we have $\sigma \models \phi$ for any $\sigma \in Out(q_0, f_{RP})$. □

The rest of this section concerns itself with the completeness of the control strategy algorithm. That is, we cons ider the following question: given a finite, non-blocking alternating transition system $T$ and an $LTL_{-X}(P)$ formula $\phi$, can this algorithm always find an initial state and a control strategy for $T$ enforcing $\phi$ if such a state and control strategy exist? We will provide a partial answer to this question. Before dealing with this issue, some related notions and results are recalled.

Definition 5.2. A Büchi automaton is a tuple $A = (S, S_0, L, \to_A, F)$, where

• $S$ is a finite set of states;

• $S_0 \subseteq S$ is a set of initial states;

• $L$ is an input alphabet;

• $\to_A \subseteq S \times L \times S$ is a transition relation;

• $F \subseteq S$ is a set of accepting states.

An infinite sequence $\sigma \in S^\omega$ is said to be a run accepted by $A$ if and only if $\sigma[1] \in S_0$, $\sigma[i] \to_A \sigma[i+1]$ for all $i \in \mathbb{N}$ and there exists $x \in F$ such that $x$ appears infinitely often in $\sigma$.

The Büchi automaton $A$ is said to be total if both $S_0$ and $\{x' : x \xrightarrow{l}_A x'\}$ are singleton sets for any $x \in S$ and $l \in L$.

Definition 5.3. Let $A = (S, S_0, L, \to_A, F)$ be a Büchi automaton. An infinite sequence $\alpha \in L^\omega$ is accepted by the Büchi automaton $A$ if and only if there exists a run $\sigma$ accepted by $A$ such that $\sigma[i] \xrightarrow{\alpha[i]}_A \sigma[i+1]$ for all $i \in \mathbb{N}$.

In [3^, it was proven that for any $LTL_{-X}(P)$ formula $\phi$, there exists a Büchi automaton $A_\phi$ with input alphabet $2^P$ which accepts exactly the sequences $\alpha \in (2^P)^\omega$ satisfying the formula $\phi$. The interested reader is referred to [TUl El HSl ISIl 122] for this topic.

Definition 5.4. Let $P$ be a set of atomic propositions. An $LTL_{-X}(P)$ formula $\phi$ is said to be total if there exists a total Büchi automaton $A_\phi$ with input alphabet $2^P$ such that $A_\phi$ accepts exactly the sequences $\alpha \in (2^P)^\omega$ satisfying $\phi$.

Adopting the tool LTL2BA provided by Oddoux and Gastin [35], we may check that the following formulae are total: $p_1 U p_2$, $\Diamond(p_1 U p_2)$, $\Box(p_1 U p_2)$, $\Box(p_1 \to p_2)$, $\Box\Diamond(p_1 \to p_2)$, $(\cdots \to \Diamond p_2)$, $\Diamond p \wedge \Diamond q \wedge \Diamond t \wedge \Diamond r$, and so on¹. Some of these formulae are considered as control specifications in 0.

Convention. For convenience, for any total $LTL_{-X}(P)$ formula $\phi$, $A_\phi$ denotes a total Büchi automaton with input alphabet $2^P$ which accepts exactly the sequences $\alpha \in (2^P)^\omega$ satisfying $\phi$.

In the remainder of this section, we will prove that the control strategy algorithm in Algorithm 1 is complete w.r.t. total $LTL_{-X}(P)$ formulae. Formally, we want to demonstrate that, given a finite, non-blocking alternating transition system $T$, an $LTL_{-X}(P)$ formula $\phi$ and a valuation function $\Pi$, if $\phi$ is total and there exists a state $q_0$ and a control strategy $f_0$ so that $\sigma \models \phi$ for all $\sigma \in Out(q_0, f_0)$, then the control strategy algorithm can find an initial state $q$ and a control strategy $f$ of $T$ enforcing $\phi$. According to Corollary 4.11, it is enough to prove that there exists a reactive plan of $T$ satisfying $\phi$. So in the rest of this section, we will construct such a reactive plan. The desired reactive plan will be obtained from the product automaton of $T$ and $A_\phi$, defined below. Similar constructions have appeared in [SJ [T71 [57].

¹ The connective $\to$ and the temporal operators $\Box$ and $\Diamond$ can be defined as usual, see [27, 32].

Definition 5.5. Let $T = (Q, A, B, \to, O, H)$ be a finite, non-blocking alternating transition system, $q_0 \in Q$, $\phi$ a total $LTL_{-X}(P)$ formula, $A_\phi = (S, \{x_0\}, 2^P, \to_{A_\phi}, F)$ and let $\Pi : Q \to 2^P$ be a valuation function. The product automaton of the pair $(T, q_0)$ and $A_\phi$ is defined as $A^\phi_{T,q_0} = (S_T, S^0_T, A, B, \to, F_T)$, where

• $S_T = Q \times S$;

• $S^0_T = \{(q_0, x_0)\}$;

• $\to \subseteq S_T \times A \times B \times S_T$ is a transition relation defined as: $(q, x) \xrightarrow{a,b} (q', x')$ if and only if $q \xrightarrow{a,b} q'$ and $x \xrightarrow{\Pi(q)}_{A_\phi} x'$;

• $F_T = Q \times F$ is the set of accepting states of $A^\phi_{T,q_0}$.

An infinite sequence $\sigma_T \in (S_T)^\omega$ is said to be a run accepted by $A^\phi_{T,q_0}$ if and only if the following hold:

(1) $\sigma_T[1] \in S^0_T$,

(2) for all $i \in \mathbb{N}$, $\sigma_T[i] \xrightarrow{a_i, b_i} \sigma_T[i+1]$ for some $a_i \in A$ and $b_i \in B$, and

(3) there exists $(q, x) \in F_T$ such that $(q, x)$ appears infinitely often in $\sigma_T$.

It is clear that the sets $S_T$ and $F_T$ are finite. For any (finite or infinite) sequence $\sigma_T = (q_1, x_1)(q_2, x_2) \cdots$ over $S_T$, we define the projections $T_T(\sigma_T) = q_1 q_2 \cdots$ and $T_A(\sigma_T) = x_1 x_2 \cdots$.

Lemma 5.6 ([17]). The projection $T_T(\sigma_T)$ of any accepted run $\sigma_T$ of $A^\phi_{T,q_0}$ is a trajectory of $T$ satisfying $\phi$.

Clearly, for any control strategy $f : Q^+ \to A$ of $T$, the function $f_T : (S_T)^+ \to A$ defined as $f_T = f \circ T_T$ is a control strategy of $A^\phi_{T,q_0}$. The outcome $Out_{A^\phi_{T,q_0}}((q_0, x_0), f_T)$ of $f_T$ from $(q_0, x_0)$ is defined as

$$Out_{A^\phi_{T,q_0}}((q_0, x_0), f_T) = \{\sigma_T \in (S_T)^\omega : \sigma_T[1] = (q_0, x_0) \text{ and } \forall i \in \mathbb{N}\, \exists b_i \in B\, (\sigma_T[i] \xrightarrow{f_T(\sigma_T[1,i]),\, b_i} \sigma_T[i+1])\}.$$

Similarly, we may define $Out^n_{A^\phi_{T,q_0}}((q_0, x_0), f_T)$ ($n \in \mathbb{N}$), $Out^+_{A^\phi_{T,q_0}}((q_0, x_0), f_T)$ and $Out^\infty_{A^\phi_{T,q_0}}((q_0, x_0), f_T)$. For simplicity, we often omit the subscripts in them.

Lemma 5.7. Let $T = (Q, A, B, \to, O, H)$ be a finite, non-blocking alternating transition system, $q_0 \in Q$, $\phi$ a total $LTL_{-X}(P)$ formula and let $\Pi$ be a valuation function. Suppose that $A^\phi_{T,q_0} = (S_T, S^0_T, A, B, \to, F_T)$ is the product automaton of the pair $(T, q_0)$ and $A_\phi$, and $f_0$ is a control strategy of $T$ so that $\sigma \models \phi$ for all $\sigma \in Out(q_0, f_0)$. Then, for the control strategy $f_T : (S_T)^+ \to A$ with $f_T = f_0 \circ T_T$, we have

(1) $\sigma_T \in Out^\infty((q_0, x_0), f_T)$ implies $T_T(\sigma_T) \in Out^\infty(q_0, f_0)$,

(2) for any $\sigma_T \in Out((q_0, x_0), f_T)$, $\sigma_T$ is accepted by $A^\phi_{T,q_0}$.

Proof. Let $f_T = f_0 \circ T_T$. Then (1) follows from $f_T = f_0 \circ T_T$, Definition 5.5 and the definition of outcomes. Next, we prove (2). Let $\sigma_T \in Out((q_0, x_0), f_T)$. Then by Definition 5.5 and the definition of $Out((q_0, x_0), f_T)$, it is enough to show that there exists $(q, x) \in F_T$ such that $(q, x)$ appears infinitely often in $\sigma_T$. By (1) and $\sigma_T \in Out((q_0, x_0), f_T)$, we obtain $T_T(\sigma_T) \in Out(q_0, f_0)$. Then, since $\sigma \models \phi$ for all $\sigma \in Out(q_0, f_0)$, $\Pi(T_T(\sigma_T))$ is accepted by $A_\phi$. Moreover, it follows from Definition 5.5 that

$$T_A(\sigma_T)[i] \xrightarrow{\Pi(T_T(\sigma_T)[i])}_{A_\phi} T_A(\sigma_T)[i+1] \quad \text{for all } i \in \mathbb{N}. \tag{5.1}$$

Further, since $\phi$ is total (so $A_\phi$ is total), $T_A(\sigma_T)$ is the unique sequence satisfying (5.1). Then, since $\Pi(T_T(\sigma_T))$ is accepted by $A_\phi$, $T_A(\sigma_T)$ is accepted by $A_\phi$. Thus there exists $x \in F$ such that $x$ appears infinitely often in $T_A(\sigma_T)$. So, since $T$ is finite, there exists a state $q$ of $T$ such that $(q, x)$ appears infinitely often in $\sigma_T$. □

Fig. 5.1. Construction of reactive plan (figure not reproduced; its right panel is labelled "Reactive plan")

In the following, we take two steps to construct the desired reactive plan. In the first step, we will construct a finite transition system $T_{fin}$ based on $Out^\infty((q_0, x_0), f_T)$ such that all trajectories of $T_{fin}$ are runs accepted by $A^\phi_{T,q_0}$. In the second step, we may easily obtain a reactive plan from $T_{fin}$ so that the trajectories generated by this reactive plan are exactly the $T_T$-projections of trajectories of $T_{fin}$. Then by Lemma 5.6 this reactive plan satisfies $\phi$. Fig. 5.1 illustrates these two steps. To construct the finite transition system $T_{fin}$, we introduce the following function.

Definition 5.8. Let $T = (Q, A, B, \to, O, H)$ be a finite, non-blocking alternating transition system, $q_0 \in Q$, $\phi$ a total $LTL_{-X}(P)$ formula and let $\Pi$ be a valuation function. Suppose that $A^\phi_{T,q_0} = (S_T, S^0_T, A, B, \to, F_T)$ is the product automaton of the pair $(T, q_0)$ and $A_\phi$, $f_0$ is a control strategy of $T$ and $f_T = f_0 \circ T_T$. The function $ReN : Out^\infty((q_0, x_0), f_T) \to \mathbb{N} \cup \{\infty\}$ is defined as: for any $\sigma_T \in Out^\infty((q_0, x_0), f_T)$,

$$ReN(\sigma_T) = \inf\{n : \text{there exists } i < n \text{ such that } \sigma_T[i] = \sigma_T[n] \in F_T\}.$$

Here, $\inf \emptyset = \infty$. Intuitively, $ReN(\sigma_T) < \infty$ means that there exists an accepting state in $F_T$ occurring in $\sigma_T$ at least two times. Given a run $\sigma_T$ accepted by $A^\phi_{T,q_0}$, by Definitions 5.5 and 5.8 we have $\sigma_T[j] = \sigma_T[n] \in F_T$ for some $j < n$ and then $ReN(\sigma_T) = n < \infty$. It is easy to check that $\sigma_T[1,j] \circ (\sigma_T[j+1,n])^\omega$ is also a run accepted by $A^\phi_{T,q_0}$, where $(\sigma_T[j+1,n])^\omega = \sigma_T[j+1,n] \circ \sigma_T[j+1,n] \circ \cdots$. Inspired by this fact, we will construct a finite transition system $T_{fin}$ based on $Out^\infty((q_0, x_0), f_T)$ such that the trajectories of $T_{fin}$ are runs accepted by $A^\phi_{T,q_0}$.

Definition 5.9. Let $T = (Q, A, B, \to, O, H)$ be a finite, non-blocking alternating transition system, $q_0 \in Q$, $\phi$ a total $LTL_{-X}(P)$ formula and let $\Pi$ be a valuation function. Suppose that $A^\phi_{T,q_0} = (S_T, S^0_T, A, B, \to, F_T)$ is the product automaton of the pair $(T, q_0)$ and $A_\phi$, $f_0$ is a control strategy of $T$ and $f_T = f_0 \circ T_T$. The accepting transition system w.r.t. $A^\phi_{T,q_0}$ and $f_T$ is defined as

$$T_{fin}(A^\phi_{T,q_0}, f_T) = \langle S_f, A, \to_f, lab \rangle,$$

where

• $S_f = \{s_T \in Out^+((q_0, x_0), f_T) : ReN(s_T) = \infty\}$. That is, the set $S_f$ contains all $s_T \in Out^+((q_0, x_0), f_T)$ in which each accepting state occurs at most one time;

• $\to_f \subseteq S_f \times A \times S_f$ is a transition relation defined as: $s_T \xrightarrow{a}_f s'_T$ if and only if $a = f_T(s_T)$ and, for some $(q, x) \in S_T$ and $b \in B$, $s_T[end] \xrightarrow{a,b} (q, x)$ and one of the following holds:

(1) $s_T \circ (q, x) = s'_T$, or

(2) $ReN(s_T \circ (q, x)) < \infty$, $s'_T \prec s_T \circ (q, x)$ and $s'_T[end] = (q, x)$ (footnote 2);

• $lab : S_f \to S_T$ is a label function defined as: for any $s_T \in S_f$, $lab(s_T) = s_T[end]$.

An infinite sequence $\sigma_T \in (S_T)^\omega$ is said to be a trajectory of $T_{fin}(A^\phi_{T,q_0}, f_T)$ if and only if there exists an infinite sequence $s^1_T s^2_T \cdots$ over $S_f$ such that $s^1_T = (q_0, x_0)$ and for any $i \in \mathbb{N}$, $lab(s^i_T) = \sigma_T[i]$ and $s^i_T \xrightarrow{a_i}_f s^{i+1}_T$ for some $a_i \in A$.

The left and middle figures in Fig. 5.1 illustrate the above construction. In this figure, the nodes labeled by accepting states of $A^\phi_{T,q_0}$ are identified in boldface type. In the left figure in Fig. 5.1, consider the trajectory $\sigma_T = (q_0, x_0)(q_1, x_1)(q_0, x_0)(q_5, x_1) \cdots$. Clearly, none of the accepting states occurs in $\sigma_T[1]$ or $\sigma_T[1,2]$ two times, while the accepting state $(q_0, x_0)$ occurs in $\sigma_T[1,3]$ two times. Thus by Definitions 5.8 and 5.9 we have $\sigma_T[1], \sigma_T[1,2] \in S_f$ and $\sigma_T[1,3] \notin S_f$. Then $\sigma_T[1]$ and $\sigma_T[1,2]$ are labeled by $(q_0, x_0)$ and $(q_1, x_1)$, respectively. Furthermore, by the definition of $\to_f$, one may check that $\sigma_T[1] \to_f \sigma_T[1,2]$ and $\sigma_T[1,2] \to_f \sigma_T[1]$.

The following result reveals that the state set of $T_{fin}(A^\phi_{T,q_0}, f_T)$ is finite and its trajectories are runs accepted by $A^\phi_{T,q_0}$.

Lemma 5.10. Let $T = (Q, A, B, \to, O, H)$ be a finite, non-blocking alternating transition system, $q_0 \in Q$, $\phi$ a total $LTL_{-X}(P)$ formula and let $\Pi$ be a valuation function. Suppose that $A^\phi_{T,q_0}$ is the product automaton of the pair $(T, q_0)$ and $A_\phi$, and $f_0$ is a control strategy of $T$ so that $\sigma \models \phi$ for all $\sigma \in Out(q_0, f_0)$. Let $f_T = f_0 \circ T_T$ and let $T_{fin}(A^\phi_{T,q_0}, f_T) = \langle S_f, A, \to_f, lab \rangle$ be the accepting transition system w.r.t. $A^\phi_{T,q_0}$ and $f_T$. Then the following conclusions hold:

(1) The set $S_f$ is finite and non-empty.

(2) Every trajectory $\sigma_T$ of $T_{fin}(A^\phi_{T,q_0}, f_T)$ is a run accepted by $A^\phi_{T,q_0}$.

(3) For any $s_T \in S_f$ and for any state $q$ of $T$, if $T_T(s_T[end]) \xrightarrow{f_T(s_T),\, b} q$ for some $b \in B$, then there exists $s'_T \in S_f$ such that $s_T \xrightarrow{f_T(s_T)}_f s'_T$ and $T_T(s'_T)[end] = q$.

Proof. See Appendix A. □

Now we may generate the desired reactive plan from $T_{fin}(A^\phi_{T,q_0}, f_T)$.

Definition 5.11. Let $T$ be a finite, non-blocking alternating transition system, $q_0$ a state of $T$, $\phi$ a total $LTL_{-X}(P)$ formula and let $\Pi$ be a valuation function. Suppose that $A^\phi_{T,q_0}$ is the product automaton of the pair $(T, q_0)$ and $A_\phi$, and $f_0$ is a control strategy of $T$ so that $\sigma \models \phi$ for all $\sigma \in Out(q_0, f_0)$. Let $f_T = f_0 \circ T_T$ and let $T_{fin}(A^\phi_{T,q_0}, f_T) = \langle S_f, A, \to_f, lab \rangle$ be the accepting transition system w.r.t. $A^\phi_{T,q_0}$ and $f_T$ with $S_f = \{s^1_T, s^2_T, \dots, s^m_T\}$ and $s^1_T = (q_0, x_0)$. Then the set $RP(T_{fin})$ consists of all SCRs $(i, T_T(s^i_T[end]), a_i, N_i)$ such that

(1) $1 \le i \le m$,

(2) $a_i = f_T(s^i_T)$, and

(3) $N_i = \{j \in \mathbb{N} : s^i_T \xrightarrow{a_i}_f s^j_T\}$.



² $s'_T \prec s_T \circ (q, x)$ means that $s'_T$ is a proper prefix of $s_T \circ (q, x)$, i.e., $s_T \circ (q, x) = s'_T s''_T$ for some $s''_T \in (S_T)^+$.
The right figure in Fig. 5.1 illustrates the above construction w.r.t. $T_{fin}$ (i.e., the middle one in Fig. 5.1). In this figure, each plan state corresponds to a unique state of $T_{fin}$ and the action to be executed in each plan state is set to be the one in the corresponding state of $T_{fin}$. According to (3) in Lemma 5.10 and Definition 3.1, $RP(T_{fin})$ defined above is a reactive plan. In the following, we demonstrate that this reactive plan satisfies $\phi$.
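As an added worked example (not code from the paper), the Python below carries Definitions 5.5, 5.8, 5.9 and 5.11 through on a constructed three-state system with a total Büchi automaton for $\Box\Diamond p$ and the constant strategy $f_0 \equiv a$: it computes product successors and $ReN$, explores $S_f$ and $\to_f$ from $(q_0, x_0)$, reads off $RP(T_{fin})$, and checks that every cycle of $T_{fin}$ passes through an accepting state, which is what Lemma 5.10(2) asserts for this automaton. The system, valuation, automaton, disturbance names and strategy are assumptions made here; the search is bounded so that a strategy that does not enforce $\phi$ is reported instead of looping.

```python
"""Definitions 5.5-5.11 carried through: product automaton, ReN, the accepting
transition system T_fin and RP(T_fin).  Added example; all data is constructed."""
from typing import Callable, Dict, FrozenSet, Hashable, List, Set, Tuple

State = Tuple[Hashable, Hashable]                # (q, x) in S_T = Q x S
Seq = Tuple[State, ...]                          # finite run prefix s_T
Strategy = Callable[[Tuple[Hashable, ...]], Hashable]   # f0 : Q^+ -> A

# Constructed ATS as (q, a, b) -> q': action a reaches q2 or q3 from q1
# depending on b and returns to q1 from q2 and q3; action b keeps q2 in q2.
ATS = {("q1", "a", "d1"): "q2", ("q1", "a", "d2"): "q3",
       ("q2", "a", "d1"): "q1", ("q2", "a", "d2"): "q1",
       ("q2", "b", "d1"): "q2", ("q2", "b", "d2"): "q2",
       ("q3", "a", "d1"): "q1", ("q3", "a", "d2"): "q1"}
VAL = {"q1": frozenset({"p"}), "q2": frozenset(), "q3": frozenset()}   # Π
ACCEPT = {"x1"}                   # F of A_φ; x0 is its single initial state

def buchi_step(x: str, letter: FrozenSet[str]) -> str:
    """Total Büchi automaton for □◇p (one successor per (x, letter)): the run
    is in the accepting state x1 right after a letter containing p."""
    return "x1" if "p" in letter else "x0"

def succ_T(s_T: Seq, f0: Strategy) -> List[State]:
    """Product successors of s_T[end] under a = f_T(s_T) = f0(T_T(s_T)):
    (q,x) -a,b-> (q',x') iff q -a,b-> q' in T and x -Π(q)-> x' in A_φ."""
    q, x = s_T[-1]
    a = f0(tuple(q1 for q1, _ in s_T))          # f_T = f0 ∘ T_T
    x2 = buchi_step(x, VAL[q])
    return sorted({(q2, x2) for (q1, a1, _b), q2 in ATS.items()
                   if q1 == q and a1 == a})

def ren(s_T: Seq) -> float:
    """ReN(s_T): least 1-based n with s_T[i] = s_T[n] in F_T for some i < n;
    ∞ when no accepting state occurs twice."""
    for n in range(1, len(s_T)):
        if s_T[n][1] in ACCEPT and s_T[n] in s_T[:n]:
            return n + 1
    return float("inf")

def build_tfin(f0: Strategy = lambda s: "a", q0="q1", x0="x0", bound=10**4):
    """S_f and ->_f of Definition 5.9 by breadth-first search from (q0,x0): an
    extension with ReN = ∞ is a new node (case 1); one with ReN < ∞ yields a
    back edge to the prefix ending in the repeated accepting state (case 2).
    Lemma A.2 bounds ReN when f0 enforces φ; `bound` catches when it does not."""
    root: Seq = ((q0, x0),)
    sf: List[Seq] = [root]
    edges: Dict[Seq, Set[Seq]] = {root: set()}
    i = 0
    while i < len(sf):
        s_T = sf[i]
        i += 1
        for st in succ_T(s_T, f0):
            ext = s_T + (st,)
            if ren(ext) == float("inf"):
                sf.append(ext)
                edges[ext] = set()
                edges[s_T].add(ext)
            else:                      # st is accepting and occurs once in s_T
                edges[s_T].add(s_T[:s_T.index(st) + 1])
        if len(sf) > bound:
            raise RuntimeError("S_f keeps growing: f0 does not enforce φ")
    return sf, edges

def reactive_plan(sf: List[Seq], edges, f0: Strategy = lambda s: "a"):
    """RP(T_fin) of Definition 5.11: plan state i for s^i in S_f with world
    state T_T(s^i[end]), action f_T(s^i) and successors {j : s^i ->_f s^j}."""
    index = {s: i + 1 for i, s in enumerate(sf)}      # s^1 = ((q0, x0),)
    return {index[s]: (s[-1][0], f0(tuple(q for q, _ in s)),
                       frozenset(index[t] for t in edges[s])) for s in sf}

def all_cycles_accepting(sf: List[Seq], edges) -> bool:
    """Lemma 5.10(2) for this automaton: every trajectory of T_fin visits F_T
    infinitely often iff the subgraph of non-accepting nodes is acyclic."""
    colour = {s: 0 for s in sf if s[-1][1] not in ACCEPT}  # 0 new, 1 open, 2 done
    def dfs(s: Seq) -> bool:
        colour[s] = 1
        for t in edges[s]:
            if t in colour and (colour[t] == 1 or (colour[t] == 0 and not dfs(t))):
                return False
        colour[s] = 2
        return True
    return all(dfs(s) for s in list(colour) if colour[s] == 0)

if __name__ == "__main__":
    sf, edges = build_tfin()
    print(len(sf), all_cycles_accepting(sf, edges))      # 9 True
```

With the constant strategy, $S_f$ has nine elements because each accepting product state may occur only once in a prefix, and every node labelled by a $q_1$-state has exactly the successors $q_2$ and $q_3$, so the projected plan is reactive in the sense of Lemma 5.10(3).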

Theorem 5.12. Let $T = (Q, A, B, \to, O, H)$ be a finite, non-blocking alternating transition system, $q_0 \in Q$, $\phi$ a total $LTL_{-X}(P)$ formula and let $\Pi : Q \to 2^P$ be a valuation function. Suppose that $A^\phi_{T,q_0}$ is the product automaton of the pair $(T, q_0)$ and $A_\phi$, and $f_0$ is a control strategy of $T$ so that $\sigma \models \phi$ for all $\sigma \in Out(q_0, f_0)$. Let $f_T = f_0 \circ T_T$, $T_{fin}(A^\phi_{T,q_0}, f_T)$ the accepting transition system w.r.t. $A^\phi_{T,q_0}$ and $f_T$, and let $RP(T_{fin}) = \{(i, T_T(s^i_T[end]), a_i, N_i) : 1 \le i \le m\}$ be the reactive plan defined by Definition 5.11. Then for any trajectory $\sigma$ generated by the reactive plan $RP(T_{fin})$, we have $\sigma \models \phi$.

Proof. Let $\sigma$ be a trajectory generated by the reactive plan $RP(T_{fin})$. So by Definition 3.2, there exists an infinite sequence $i_1 i_2 \cdots$ of plan states in $RP(T_{fin})$ such that

$$i_1 = 1, \quad \sigma[j] = T_T(s^{i_j}_T[end]) \quad \text{and} \quad i_{j+1} \in N_{i_j} \quad \text{for all } j \in \mathbb{N}. \tag{5.2}$$

We set $\sigma_T = s^{i_1}_T[end]\, s^{i_2}_T[end] \cdots$. Clearly, $T_T(\sigma_T) = \sigma$. Therefore, by Lemmas 5.6 and 5.10, in order to prove $\sigma \models \phi$, it suffices to show that $\sigma_T$ is a trajectory of $T_{fin}(A^\phi_{T,q_0}, f_T)$.

It follows from $i_1 = 1$ and Definition 5.11 that $s^{i_1}_T = (q_0, x_0)$. Let $j \in \mathbb{N}$. By (5.2), we have $i_{j+1} \in N_{i_j}$. Further, it follows from Definitions 5.9 and 5.11 that $s^{i_j}_T \xrightarrow{a_{i_j}}_f s^{i_{j+1}}_T$. Thus by Definition 5.9, $\sigma_T$ is a trajectory of $T_{fin}(A^\phi_{T,q_0}, f_T)$, as desired. □

Now we arrive at the main result of this section. 

Theorem 5.13. For any finite, non-blocking alternating transition system $T = (Q, A, B, \to, O, H)$, $LTL_{-X}(P)$ formula $\phi$ and valuation function $\Pi$, if $\phi$ is total and there exists a state $q$ of $T$ and a control strategy $f : Q^+ \to A$ such that $\sigma \models \phi$ for all $\sigma \in Out(q, f)$, then the control strategy algorithm can find an initial state $q'$ and a control strategy $f' : Q^+ \to A$ so that $\sigma \models \phi$ for all $\sigma \in Out(q', f')$.

Proof. Let $T = (Q, A, B, \to, O, H)$ be a finite, non-blocking alternating transition system, $\phi$ an $LTL_{-X}(P)$ formula and $\Pi : Q \to 2^P$ a valuation function. Suppose that $\phi$ is total and there exists a state $q$ of $T$ and a control strategy $f : Q^+ \to A$ such that $\sigma \models \phi$ for all $\sigma \in Out(q, f)$. Then, by Theorem 5.12 and Definitions 5.9 and 5.11, there exists a reactive plan $RP(T_{fin})$ of $T$ such that all trajectories generated by this reactive plan satisfy $\phi$. Therefore, by Corollary 4.11 the control strategy algorithm can find an initial state $q'$ and a control strategy $f_{RP} : Q^+ \to A$ so that $\sigma \models \phi$ for all $\sigma \in Out(q', f_{RP})$. □

6. Conclusion and future work. Pola and Tabuada have introduced finite abstractions for control systems $\Sigma$ with disturbance inputs [531 [53]. However, since these finite abstractions are modeled by finite, non-blocking alternating transition systems rather than usual transition systems, the approaches provided in [9], [27], [29] are not suitable for finding control strategies for Pola and Tabuada's abstractions. To overcome this defect, this paper presents a control strategy algorithm based on Kabanza et al.'s planning algorithm (see Algorithm 1). This control strategy algorithm can be used to find an initial state and a control strategy of a finite, non-blocking alternating transition system enforcing a given $LTL_{-X}$ formula. The correctness and completeness of this algorithm are explored. We demonstrate that this algorithm is correct (see Theorem 5.1) and is complete w.r.t. total $LTL_{-X}$ formulas (see Theorem 5.13). But it is still an open problem whether Theorem 5.13 holds for all $LTL_{-X}$ formulas. We will explore this problem in further work.

Now, we may adopt the control strategy algorithm to find an initial state and a control strategy of Pola and Tabuada's finite abstraction enforcing an $LTL_{-X}$ formula $\phi$. However, the control problem in the design of control systems is:

Problem 2. Given a control system $\Sigma$ with disturbance inputs and an $LTL_{-X}$ formula $\phi$ as specification, how to construct a feedback controller such that all trajectories of $\Sigma$ with this controller satisfy $\phi$ even in the presence of disturbance inputs?

Thus a natural question arises at this point: if an initial state and a control strategy of the finite abstraction enforcing an $LTL_{-X}$ formula $\phi$ have been found, can the controller for the finite abstraction be applied to the original system to meet $\phi$? We have dealt with this problem in [33].

Appendix A. 

In this appendix, we fix a finite, non-blocking alternating transition system $T = (Q, A, B, \to, O, H)$, an initial state $q_0 \in Q$, a total $LTL_{-X}(P)$ formula $\phi$, $A_\phi = (S, \{x_0\}, 2^P, \to_{A_\phi}, F)$, a valuation function $\Pi : Q \to 2^P$, and a control strategy $f_0 : Q^+ \to A$ such that $\sigma \models \phi$ for all $\sigma \in Out(q_0, f_0)$. Suppose that $A^\phi_{T,q_0} = (S_T, S^0_T, A, B, \to, F_T)$ is the product automaton of the pair $(T, q_0)$ and $A_\phi$ (see Definition 5.5), and the control strategy $f_T : (S_T)^+ \to A$ is defined as $f_T = f_0 \circ T_T$. Before proving Lemma 5.10, we provide two auxiliary results.

Lemma A.1. (1) For any $\sigma \in Out(q_0, f_0)$, there exists a unique $\sigma_T \in Out((q_0, x_0), f_T)$ such that $T_T(\sigma_T) = \sigma$.

(2) For any $s \in Out^+(q_0, f_0)$, there exists a unique $s_T \in Out^+((q_0, x_0), f_T)$ such that $T_T(s_T) = s$.

(3) For any $\sigma_T \in Out^\infty((q_0, x_0), f_T)$, if $ReN(\sigma_T) = n$ then for any $k < n$, $ReN(\sigma_T[1,k]) = \infty$.

Proof. (1) Let $\sigma \in Out(q_0, f_0)$. Then $\sigma \models \phi$. It follows from Definition 2.4 that $\Pi(\sigma) \models \phi$. Then $\Pi(\sigma)$ is accepted by $A_\phi$. Thus by Definitions 5.2 and 5.3 there exists a run $x_1 x_2 \cdots \in S^\omega$ accepted by $A_\phi$ such that

$$x_1 = x_0 \quad \text{and} \quad x_i \xrightarrow{\Pi(\sigma[i])}_{A_\phi} x_{i+1} \quad \text{for all } i \in \mathbb{N}. \tag{A.1}$$

Moreover, it follows from $\sigma \in Out(q_0, f_0)$ that for any $i \in \mathbb{N}$, there exists $b_i \in B$ such that $\sigma[i] \xrightarrow{f_0(\sigma[1,i]),\, b_i} \sigma[i+1]$. This together with (A.1) and Definition 5.5 implies that for any $i \in \mathbb{N}$,

$$(\sigma[i], x_i) \xrightarrow{f_0(\sigma[1,i]),\, b_i} (\sigma[i+1], x_{i+1}). \tag{A.2}$$

We set $\sigma_T = (\sigma[1], x_1)(\sigma[2], x_2) \cdots$. Clearly, $T_T(\sigma_T) = \sigma$ and $\sigma_T[1] = (q_0, x_0)$. Furthermore, since $f_T = f_0 \circ T_T$, we get $f_T(\sigma_T[1,i]) = f_0(\sigma[1,i])$ for all $i \in \mathbb{N}$. Thus it follows from (A.2) that for any $i \in \mathbb{N}$, $(\sigma[i], x_i) \xrightarrow{f_T(\sigma_T[1,i]),\, b_i} (\sigma[i+1], x_{i+1})$. Therefore, we obtain $\sigma_T \in Out((q_0, x_0), f_T)$.

To show the uniqueness of such $\sigma_T$, let $\sigma'_T \in Out((q_0, x_0), f_T)$ with $T_T(\sigma'_T) = \sigma$. Then, since $A_\phi$ is total, there exists a unique run $x_1 x_2 \cdots$ such that $x_1 = x_0$ and $x_i \xrightarrow{\Pi(\sigma[i])}_{A_\phi} x_{i+1}$ for all $i \in \mathbb{N}$. So by Definition 5.5 it is easy to check that $T_A(\sigma'_T) = T_A(\sigma_T)$. Then it follows from $T_T(\sigma'_T) = \sigma = T_T(\sigma_T)$ that $\sigma'_T = \sigma_T$.

(2) Let $s \in Out^+(q_0, f_0)$. Then by the definitions of $Out^+(q_0, f_0)$ and $Out(q_0, f_0)$, $s$ is a prefix of $\sigma$ for some $\sigma \in Out(q_0, f_0)$. So by (1), there exists $\sigma_T \in Out((q_0, x_0), f_T)$ such that $T_T(\sigma_T) = \sigma$, and $\sigma_T$ is accepted by $A^\phi_{T,q_0}$. Thus we have $T_T(\sigma_T[1,|s|]) = s$ and $\sigma_T[1,|s|] \in Out^+((q_0, x_0), f_T)$. Similar to (1), we may show that $\sigma_T[1,|s|]$ is the unique sequence satisfying the condition.

(3) Follows from Definition 5.8. □

Lemma A.2. There exists $n \in \mathbb{N}$ such that for all $\sigma_T \in Out((q_0, x_0), f_T)$, we have $ReN(\sigma_T) \le n$.

Proof. Suppose that for any $n \in \mathbb{N}$, there exists $\sigma^n_T \in Out((q_0, x_0), f_T)$ such that $ReN(\sigma^n_T) > n$. We will give a contradiction. To this end, the following claim is provided first.

Claim. We may construct an infinite sequence $\sigma_T \in (S_T)^\omega$ satisfying that for any $k \in \mathbb{N}$, there exist $k_i \in \mathbb{N}$ ($i \in \mathbb{N}$) with $k_1 < k_2 < k_3 < \cdots$ such that $\sigma^{k_i}_T[1,k] = \sigma_T[1,k]$ for any $i \in \mathbb{N}$.

We construct such a sequence by induction on $k$. Let $k = 1$. We set $\sigma_T[1] = (q_0, x_0)$ and $k_i = i$ for each $i \in \mathbb{N}$. Then for any $i \in \mathbb{N}$, $\sigma^{k_i}_T[1] = \sigma^i_T[1] = (q_0, x_0) = \sigma_T[1]$ follows from $\sigma^i_T \in Out((q_0, x_0), f_T)$.

Suppose that $k = m + 1$ and we have found $\sigma_T[1,m]$ and $m_i \in \mathbb{N}$ ($i \in \mathbb{N}$) with $m_1 < m_2 < m_3 < \cdots$ such that $\sigma^{m_i}_T[1,m] = \sigma_T[1,m]$ for all $i \in \mathbb{N}$. Since $S_T$ is finite, the set $\{\sigma^{m_i}_T[m+1] : i \in \mathbb{N}\}$ is finite. So there exist $(q_k, x_k) \in \{\sigma^{m_i}_T[m+1] : i \in \mathbb{N}\}$ and $k_i \in \{m_1, m_2, \dots\}$ ($i \in \mathbb{N}$) with $k_1 < k_2 < k_3 < \cdots$ such that $\sigma^{k_i}_T[m+1] = (q_k, x_k)$ for all $i \in \mathbb{N}$. We set $\sigma_T[k] = (q_k, x_k)$. Thus it follows that $\sigma^{k_i}_T[1,k] = \sigma_T[1,m] \circ (q_k, x_k) = \sigma_T[1,k]$ for all $i \in \mathbb{N}$.

Now, we return to the proof of this lemma. It is easy to check that $\sigma_T \in Out((q_0, x_0), f_T)$. Then by Lemma 5.7 $\sigma_T$ is accepted by $A^\phi_{T,q_0}$. To obtain a contradiction, we will show below that $\sigma_T$ is not accepted by $A^\phi_{T,q_0}$.

Let $k \in \mathbb{N}$. Since $k_1 < k_2 < \cdots$, there exists $i_k \in \{k_1, k_2, \dots\}$ such that $i_k > k$. So by the above claim and the supposition at the beginning of the proof, we obtain $\sigma^{i_k}_T[1,k] = \sigma_T[1,k]$ and $ReN(\sigma^{i_k}_T) > i_k > k$. Further, by Definition 5.8 we have $ReN(\sigma_T) > i_k > k$. Then, since $k$ is an arbitrary natural number, we get $ReN(\sigma_T) = \infty$. Since the accepting state set $F_T$ is finite, it follows from Definition 5.8 and $ReN(\sigma_T) = \infty$ that there does not exist $(q, x) \in F_T$ such that $(q, x)$ appears infinitely often in $\sigma_T$. So $\sigma_T$ is not accepted by $A^\phi_{T,q_0}$. □

Lemma 5.10. Let $T = (Q, A, B, \to, O, H)$ be a finite, non-blocking alternating transition system, $q_0 \in Q$, $\phi$ a total $LTL_{-X}(P)$ formula, $A_\phi = (S, \{x_0\}, 2^P, \to_{A_\phi}, F)$ and let $\Pi : Q \to 2^P$ be a valuation function. Suppose that $A^\phi_{T,q_0} = (S_T, S^0_T, A, B, \to, F_T)$ is the product automaton of the pair $(T, q_0)$ and $A_\phi$, and $f_0$ is a control strategy of $T$ so that $\sigma \models \phi$ for all $\sigma \in Out(q_0, f_0)$. Let $f_T = f_0 \circ T_T$ and let $T_{fin}(A^\phi_{T,q_0}, f_T) = \langle S_f, A, \to_f, lab \rangle$ be the accepting transition system w.r.t. $A^\phi_{T,q_0}$ and $f_T$. Then the following conclusions hold:

(1) The set $S_f$ is finite and non-empty.

(2) Every trajectory $\sigma_T$ of $T_{fin}(A^\phi_{T,q_0}, f_T)$ is a run accepted by $A^\phi_{T,q_0}$.

(3) For any $s_T \in S_f$ and for any state $q \in Q$ of $T$, if $T_T(s_T[end]) \xrightarrow{f_T(s_T),\, b} q$ for some $b \in B$, then there exists $s'_T \in S_f$ such that $s_T \xrightarrow{f_T(s_T)}_f s'_T$ and $T_T(s'_T)[end] = q$.

Proof. (1) Clearly, $(q_0, x_0) \in S_f$ and then $S_f$ is non-empty. Next, we show that $S_f$ is finite. By Lemma A.2 there exists $n \in \mathbb{N}$ such that $ReN(\sigma_T) \le n$ for any $\sigma_T \in Out((q_0, x_0), f_T)$. Since $S_T = Q \times S$ is finite, $Out^i((q_0, x_0), f_T)$ is finite for any $i \in \mathbb{N}$ and then $\bigcup_{i \le n} Out^i((q_0, x_0), f_T)$ is finite. So to complete the proof, we just need to show that $S_f \subseteq \bigcup_{i \le n} Out^i((q_0, x_0), f_T)$.

Let $s_T \in S_f$. Then by Definition 5.9, we have $ReN(s_T) = \infty$. On the other side, by Lemma 5.7 we obtain $T_T(s_T) \in Out^+(q_0, f_0)$. Then, since $T$ is non-blocking, by Definition 4.1 there exists $\sigma \in Out(q_0, f_0)$ such that $T_T(s_T)$ is a prefix of $\sigma$. Thus by Lemma A.1 there exists $\sigma_T \in Out((q_0, x_0), f_T)$ such that $s_T$ is a prefix of $\sigma_T$. Further, since $ReN(\sigma_T) \le n$ and $ReN(s_T) = \infty$, by Definition 5.8 we get $|s_T| < ReN(\sigma_T) \le n$.

(2) Let $\sigma_T$ be a trajectory of $T_{fin}(A^\phi_{T,q_0}, f_T)$. Then by (2) in Lemma 5.7 it is enough to show that $\sigma_T \in Out((q_0, x_0), f_T)$. By Definition 5.9, there exists a sequence $s^1_T s^2_T \cdots$ over $S_f$ such that

$$s^1_T = (q_0, x_0) \quad \text{and for any } i \in \mathbb{N},\ s^i_T[end] = \sigma_T[i] \text{ and } s^i_T \xrightarrow{a_i}_f s^{i+1}_T.$$

Thus it follows from Definition 5.9 that $\sigma_T[1] = (q_0, x_0)$ and for any $i \in \mathbb{N}$, there exist $(q, x) \in S_T$ and $b \in B$ such that $a_i = f_T(s^i_T)$, $\sigma_T[i] \xrightarrow{a_i, b} (q, x)$ and $s^{i+1}_T[end] = \sigma_T[i+1] = (q, x)$. Then it follows that $\sigma_T \in Out((q_0, x_0), f_T)$.

(3) Let $s_T \in S_f$, $q \in Q$, $ReN(s_T) = \infty$ and $T_T(s_T[end]) \xrightarrow{f_T(s_T),\, b} q$ for some $b \in B$. For convenience, we put $s = T_T(s_T)$. By (1) in Lemma 5.7, we have $s \in Out^+(q_0, f_0)$. Then it follows from $s[end] \xrightarrow{f_0(s),\, b} q$ and $f_T(s_T) = f_0(s)$ that $sq \in Out^+(q_0, f_0)$. So by (2) in Lemma A.1 there exists a unique $s'_T \in Out^+((q_0, x_0), f_T)$ such that $T_T(s'_T) = sq$. Similarly, $s_T$ is the unique sequence in $Out^+((q_0, x_0), f_T)$ such that $T_T(s_T) = s$. Thus $s_T \circ (q, x) = s'_T$ for some state $x \in S$ of $A_\phi$. If $ReN(s'_T) = \infty$ then by Definition 5.9 we obtain $s'_T \in S_f$, $s_T \xrightarrow{f_T(s_T)}_f s'_T$ and $T_T(s'_T[end]) = q$. Suppose that $ReN(s'_T) < \infty$. Then, since $ReN(s_T) = \infty$ and $s_T \circ (q, x) = s'_T$, by Definition 5.8 there exists $s''_T \prec s'_T$ such that $s''_T[end] = s'_T[end]$ and $ReN(s''_T) = \infty$. Further, by Definition 5.9 we have $s''_T \in S_f$, $s_T \xrightarrow{f_T(s_T)}_f s''_T$ and $T_T(s''_T[end]) = q$. □